Skip to main content

Timetics CVE-2026-39432

| EUVDEUVD-2026-29392 HIGH
Missing Authorization (CWE-862)
2026-05-12 Patchstack GHSA-7x9f-64r7-34cc
8.2
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
8.2 HIGH
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
Low
Availability
None

Lifecycle Timeline

2
Analysis Generated
May 12, 2026 - 08:46 vuln.today
CVE Published
May 12, 2026 - 07:49 nvd
HIGH 8.2

DescriptionCVE.org

Missing Authorization vulnerability in Arraytics Timetics allows Exploiting Incorrectly Configured Access Control Security Levels.

This issue affects Timetics: from n/a through 1.0.53.

AnalysisAI

Missing authorization in Timetics WordPress plugin through version 1.0.53 allows unauthenticated remote attackers to bypass access controls and access sensitive administrative functions or data. With CVSS 8.2 (High), the vulnerability enables high confidentiality impact and low integrity impact against network-accessible instances. Patchstack reported this broken access control flaw, indicating potential exposure of booking systems, customer data, or administrative operations to unauthorized access without authentication.

Technical ContextAI

Timetics is a WordPress plugin by Arraytics providing appointment scheduling and booking management functionality. The vulnerability stems from CWE-862 (Missing Authorization), where security checks fail to verify user permissions before granting access to restricted functions or endpoints. This class of flaw typically occurs when developers implement authentication (verifying identity) but omit authorization checks (verifying permissions), allowing any authenticated user-or in this case, unauthenticated actors per CVSS PR:N-to access functionality intended for administrators or privileged roles. WordPress plugins commonly expose REST API endpoints or AJAX handlers that require explicit capability checks using functions like current_user_can(); omitting these checks creates authorization bypasses. The affected CPE (cpe:2.3:a:arraytics:timetics) confirms all versions through 1.0.53 contain this flaw.

RemediationAI

Immediately upgrade Timetics to version 1.0.54 or later if available, checking WordPress.org plugin repository or Arraytics vendor site for the patched release. Consult the Patchstack advisory at https://patchstack.com/database/wordpress/plugin/timetics/vulnerability/wordpress-timetics-plugin-1-0-53-broken-access-control-vulnerability for confirmed fix version and upgrade instructions. If no patch is available, implement compensating controls: (1) Disable the Timetics plugin entirely until patched version releases-this eliminates booking functionality but removes attack surface; (2) Restrict network access to WordPress admin endpoints (/wp-admin/, /wp-json/) via IP allowlisting in .htaccess or web application firewall, limiting exposure to trusted networks only-note this may break legitimate remote admin access and mobile booking workflows; (3) Deploy WordPress security plugin with virtual patching capability (e.g., Wordfence, Patchstack) to block exploitation attempts at the WAF layer-effectiveness depends on signature coverage and may cause false positives. Monitor WordPress access logs for suspicious unauthenticated POST/GET requests to Timetics endpoints (/wp-json/timetics/v1/ or similar) as potential exploitation indicators.

Share

CVE-2026-39432 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy